Locking Out Identity Thieves

Why are data collectors blocking efforts to require notice of a security breach?

By The Monitor's View, March 24, 2005

The hyperabundance of personal information and public data that exists on the Internet today makes identity theft a larger concern than ever. In just the past few weeks, hackers have gotten into the computers of the legal and consumer data warehousing company, LexisNexis, taking the personal data of some 32,000 people. Boston College recently warned some 120,000 alumni that their identities could be compromised as a result of a computer breach.

In fact, a recent national poll showed nearly 25 percent of respondents claimed their personal information had been stolen. The Federal Trade Commission estimates some 10 million individuals a year become victims of identity theft, and reports losses due to identity theft at over $50 billion annually. And for those who've had their identities purloined by cyber-thieves, recovery of one's good name and credit history has become increasingly lengthy and tedious - not to mention the loss of actual money.

Calls for something to be done about the problem are rightly ringing louder in statehouses and on Capitol Hill. Yet finding the necessary balance between the need to make the Internet a trusted platform for exchanging sensitive information and keeping it wide open for global use will take time.

One problem, however, needs urgent attention: The thousands of companies that collect and sell mountains of personal data available on the Web still aren't regulated, or don't abide by their own codes of conduct.

Take ChoicePoint, a publicly traded information company with revenues upward of $1 billion. It reported last month it mistakenly sold private data on some 145,000 individuals to criminals posing as legitimate businessmen. Unfortunately, the company waited for months before letting anyone know that sensitive information had been transferred. In fact, it was a California security-breach law, which requires data companies to notify consumers when security is compromised, that forced ChoicePoint to go public with its error.

Congress and some 20 other states are considering similar legislation, but politically powerful information businesses (citing a cost issue) want to notify customers only if a significant risk of identity theft can be shown - and are slowing down the legislative process. That risk has yet to be spelled out in any meaningful way.

Privacy advocates want a national "Do Not Issue" credit list (modeled after the successful "Do Not Call" list) that would let consumers "freeze" their credit history, keeping anyone from accessing it without obtaining permission. One problem that critics point out: Consumers might also limit their own ability to obtain credit. But that's a small price to pay for privacy and a more secure online identity.

Clearly, lawmakers and business need to work together to keep identity theft in check. Meantime, individuals should be sure to have a paper shredder handy (far more identity theft still occurs offline), closely monitor their accounts, and have updated firewall software installed on their PCs. And they should exercise discretion in giving out information online, especially their Social Security number - the "golden key" of identity - to websites or individuals that aren't reliable.